Cybercriminals tried to attack the Ukrainian energy sector

Anti-virus developer ESET, together with Ukraine's government Computer Emergency Response Team (CERT-UA), has revealed the details of a large-scale cyber attack on the Ukrainian energy sector that was stopped before it could be carried out.

According to the cybersecurity experts, this time the attackers used a new version of the Industroyer malware, which the APT group Sandworm had already used in 2016 to cut off electricity in Ukraine.

“During the new attack, cybercriminals attempted to deploy Industroyer2 malware to high-voltage power substations in Ukraine. In addition to Industroyer2, Sandworm used several malware families to destroy data, including CaddyWiper, during the attack,” ESET reported.

The destructive action was reportedly scheduled for April 8, 2022, but elements of the malware indicate that the attack had been planned for at least two weeks.

According to ESET, malware called Industroyer was used to cut off electricity in Kyiv in December 2016. The earlier version of Industroyer could communicate over several industrial control system protocols that are typically used in electrical systems, including IEC-101, IEC-104, IEC 61850 and OPC DA.

The new version of the threat, Industroyer2, implements only the IEC-104 protocol, which is used in electrical substations to communicate with industrial equipment.
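As an added illustration, not taken from the ESET or CERT-UA reporting, the following Python parses IEC-104 (IEC 60870-5-104) frames and flags control-direction commands, the kind of substation traffic a network monitor would want to alert on. The type identifiers and field layout are the standard's default values; the sample frames are constructed, not captured from the incident.

```python
import struct

# Standard IEC 60870-5-104 type identifiers for control-direction (process command) ASDUs.
COMMAND_TYPES = {45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
                 47: "C_RC_NA_1 regulating step", 48: "C_SE_NA_1 set-point (normalised)",
                 49: "C_SE_NB_1 set-point (scaled)", 50: "C_SE_NC_1 set-point (float)",
                 51: "C_BO_NA_1 bitstring command"}
CAUSES = {6: "activation", 7: "activation confirmation", 8: "deactivation", 10: "termination"}

def parse_apdu(frame: bytes):
    """I-format frames yield (type_id, cause, common_address, first_ioa, first_element);
    S- and U-format frames carry no ASDU and yield None."""
    if len(frame) < 6 or frame[0] != 0x68 or frame[1] != len(frame) - 2:
        raise ValueError("not a well-formed IEC-104 APDU")
    if frame[2] & 0x01:          # control octet 1 ending ..01 is S-format, ..11 is U-format
        return None
    asdu = frame[6:]
    if len(asdu) < 9:            # type, VSQ, COT, originator, CA (2), IOA (3)
        raise ValueError("ASDU header truncated")
    cause = asdu[2] & 0x3F       # low 6 bits; the top two are the T (test) and P/N flags
    common_address = struct.unpack_from("<H", asdu, 4)[0]
    ioa = int.from_bytes(asdu[6:9], "little")       # 3-octet IOA, the IEC-104 default
    return asdu[0], cause, common_address, ioa, asdu[9:]

def switch_state(type_id: int, element: bytes) -> str:
    """Decode the commanded state of a single command (SCS bit) or double command (DCS)."""
    if type_id == 45:
        return "ON" if element[0] & 0x01 else "OFF"
    if type_id == 46:
        return {1: "OFF", 2: "ON"}.get(element[0] & 0x03, "invalid")
    return "n/a"

def flag_control_commands(frames) -> list:
    """Return one alert per frame that carries a control-direction command ASDU."""
    alerts = []
    for frame in frames:
        parsed = parse_apdu(frame)
        if parsed is None or parsed[0] not in COMMAND_TYPES:
            continue             # link-layer frames and monitoring-direction data pass
        type_id, cause, ca, ioa, element = parsed
        alerts.append(f"{COMMAND_TYPES[type_id]} CA={ca} IOA={ioa} "
                      f"state={switch_state(type_id, element)} cause={CAUSES.get(cause, cause)}")
    return alerts

# Constructed sample traffic: STARTDT act, a general interrogation (type 100, not a
# process command), a single command ON to IOA 1000 and a double command OFF to IOA 1001.
SAMPLE_FRAMES = [
    bytes.fromhex("68 04 07 00 00 00"),
    bytes.fromhex("68 0E 00 00 00 00 64 01 06 00 01 00 00 00 00 14"),
    bytes.fromhex("68 0E 02 00 00 00 2D 01 06 00 01 00 E8 03 00 01"),
    bytes.fromhex("68 0E 04 00 00 00 2E 01 06 00 01 00 E9 03 00 01"),
]
```

Running `flag_control_commands(SAMPLE_FRAMES)` yields two alerts, one for each switching command, while the STARTDT and interrogation frames pass silently.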

In addition to launching Industroyer2 on the ICS network, the attackers deployed a new version of the data-destroying malware CaddyWiper. According to ESET experts, this was done to slow down recovery and prevent the electricity supplier's operators from regaining control of the ICS consoles. The wiper was probably also used to cover the traces of Industroyer2's activity.

The first version of CaddyWiper was discovered by ESET researchers in Ukraine on March 14, 2022, when it was deployed in a bank's network. The malware destroys data and the partition information on connected disks, after which the system goes down and cannot recover.

Besides CaddyWiper and Industroyer2, additional malware for Linux and Solaris (ORCSHRED, SOLOSHRED and AWFULSHRED) was detected in the power provider's network. It consists of a worm and a destructive component, which were used during the attacks against all reachable systems.

ESET notes that Ukraine thus continues to be the target of numerous cyberattacks aimed at its critical infrastructure.

The cybersecurity experts add that what makes Industroyer unique is its ability to disrupt industrial process control systems.

“Industroyer’s cybercriminals have a deep knowledge of industrial management systems. In addition, developing and testing such malicious software requires access to specialized equipment used in a specific industrial environment. The potential impact of such a threat can range from a simple electricity shutdown and cascading accidents to more serious damage to equipment, while the shutdown of such systems may disrupt the functioning of vital services,” ESET summed up.